Critical F5 BIG-IP bug impacts customers in sensitive sectors


BIG-IP application services company F5 has patched more than a dozen high-severity vulnerabilities in its networking devices, one of which is rated critical in a specific configuration.

The issues are part of this month's delivery of security updates, which addressed around 30 vulnerabilities across multiple F5 products.

Of the thirteen high-severity flaws that were fixed, one becomes critical in a configuration "designed to meet the needs of customers in especially sensitive sectors" and could lead to complete system compromise.

The issue, tracked as CVE-2021-23031, affects the BIG-IP Advanced WAF (Web Application Firewall) and Application Security Manager (ASM) modules, specifically the Traffic Management User Interface (TMUI).

Normally, it is a privilege escalation flaw with a severity score of 8.8 that can be exploited by an authenticated attacker with access to the Configuration utility to run arbitrary system commands, which could lead to complete system compromise.

For customers running in Appliance Mode, which imposes some technical restrictions, the same vulnerability carries a critical rating of 9.9 out of 10.

F5's security advisory for CVE-2021-23031 does not explain in detail why there are two severity ratings, but notes that a "limited number of customers" are impacted by the critical variant of the bug unless they install the updated version or apply the mitigations.

For organizations that cannot update their devices, the only defense against possible exploitation is to restrict access to the Configuration utility to completely trusted users.

The other 12 high-severity security bugs that were addressed carry severity scores between 7.2 and 7.5. Six of them affect all modules, five impact the Advanced WAF and ASM, and one affects the DNS module.

The flaws range from authenticated remote command execution to cross-site scripting (XSS) and request forgery, insufficient permissions, and denial of service.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a notification about F5’s security advisory, encouraging users and administrators to review the information from the company and install the software updates or apply the necessary mitigations.
